Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package docker for openSUSE:Factory checked 
in at 2021-04-19 21:05:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker (Old)
 and      /work/SRC/openSUSE:Factory/.docker.new.12324 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker"

Mon Apr 19 21:05:41 2021 rev:112 rq:885817 version:20.10.6_ce

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker/docker.changes    2021-03-10 
08:46:24.830217561 +0100
+++ /work/SRC/openSUSE:Factory/.docker.new.12324/docker.changes 2021-04-19 
21:05:49.688013970 +0200
@@ -1,0 +2,14 @@
+Thu Apr 15 05:23:20 UTC 2021 - Aleksa Sarai <asa...@suse.com>
+
+- Update to Docker 20.10.6-ce. See upstream changelog in the packaged
+  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1184768
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+- Backport upstream fix <https://github.com/moby/moby/pull/42273> for btrfs
+  quotas being removed by Docker regularly. bsc#1183855 bsc#1175081
+  + 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+
+-------------------------------------------------------------------

Old:
----
  docker-20.10.5_ce_363e9a88a11b.tar.xz
  docker-cli-20.10.5_ce.tar.xz
  docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7.tar.xz

New:
----
  0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  docker-20.10.6_ce_8728dd246c3a.tar.xz
  docker-cli-20.10.6_ce.tar.xz
  docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ docker.spec ++++++
--- /var/tmp/diff_new_pack.UIwXDa/_old  2021-04-19 21:05:50.472015146 +0200
+++ /var/tmp/diff_new_pack.UIwXDa/_new  2021-04-19 21:05:50.476015152 +0200
@@ -42,24 +42,24 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP 
'(?<=^CommitDate: ).*')" '+%s'
-%define git_version 363e9a88a11b
-%define git_commit_epoch 1614234438
+%define git_version 8728dd246c3a
+%define git_commit_epoch 1618005978
 
 # We require a specific pin of libnetwork because it doesn't really do
 # versioning and minor version mismatches in libnetwork can break Docker
 # networking. All other key runtime dependencies (containerd, runc) are stable
 # enough that this isn't necessary.
-%define libnetwork_version fa125a3512ee0f6187721c88582bf8c4378bd4d7
+%define libnetwork_version b3507428be5b458cb0e2b4086b13531fb0706e46
 
 %define dist_builddir  %{_builddir}/dist-suse
 %define cli_builddir   %{dist_builddir}/src/github.com/docker/cli
 %define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
 
 Name:           %{realname}%{name_suffix}
-Version:        20.10.5_ce
+Version:        20.10.6_ce
 # This "nice version" is so that docker --version gives a result that can be
 # parsed by other people. boo#1182476
-%define nice_version 20.10.5-ce
+%define nice_version 20.10.6-ce
 Release:        0
 Summary:        The Moby-project Linux container runtime
 License:        Apache-2.0
@@ -92,6 +92,8 @@
 Patch200:       0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/docker/pull/37353. 
bsc#1073877 bsc#1099277
 Patch300:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. 
bsc#1183855 bsc#1175081
+Patch301:       0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -257,6 +259,8 @@
 %endif
 # bsc#1099277
 %patch300 -p1
+# bsc#1183855 bsc#1175081
+%patch301 -p1
 
 # README_SUSE.md for documentation.
 cp %{SOURCE103} .
@@ -322,7 +326,7 @@
 ###################
 
 pushd %{cli_builddir}
-./scripts/build/dynbinary
+make dynbinary
 
 mkdir -p ./man/man1
 go build -buildmode=pie -o gen-manpages github.com/docker/cli/man

++++++ 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch ++++++
--- /var/tmp/diff_new_pack.UIwXDa/_old  2021-04-19 21:05:50.500015188 +0200
+++ /var/tmp/diff_new_pack.UIwXDa/_new  2021-04-19 21:05:50.512015206 +0200
@@ -1,7 +1,7 @@
-From 6a5d238a42b8adc5d29bbd9bd688aa1034f5cdfd Mon Sep 17 00:00:00 2001
+From 5dfd507cf2ab34a99d925eae7fa9a1a062c1930e Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asa...@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/4] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
 
 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@@ -70,5 +70,5 @@
                        return errors.Wrap(err, "error setting ownership for 
secret")
                }
 -- 
-2.30.1
+2.30.2
 

++++++ 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch ++++++
--- /var/tmp/diff_new_pack.UIwXDa/_old  2021-04-19 21:05:50.524015224 +0200
+++ /var/tmp/diff_new_pack.UIwXDa/_new  2021-04-19 21:05:50.524015224 +0200
@@ -1,7 +1,7 @@
-From bf083a6f80b204325673732944b53a447f9e4171 Mon Sep 17 00:00:00 2001
+From cb696ab8168b611535c04f8780c4632a2dc0ec2a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asa...@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/4] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
 
 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
@@ -451,5 +451,5 @@
 +      return nil
 +}
 -- 
-2.30.1
+2.30.2
 

++++++ 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch ++++++
--- /var/tmp/diff_new_pack.UIwXDa/_old  2021-04-19 21:05:50.536015242 +0200
+++ /var/tmp/diff_new_pack.UIwXDa/_new  2021-04-19 21:05:50.540015248 +0200
@@ -1,7 +1,7 @@
-From 10d0381bf317221167af0930c552a8b27c7861a4 Mon Sep 17 00:00:00 2001
+From 759c1b0c2d4a3c89dea396510d2a1518ad2fcb2c Mon Sep 17 00:00:00 2001
 From: Valentin Rothberg <vrothb...@suse.com>
 Date: Mon, 2 Jul 2018 13:37:34 +0200
-Subject: [PATCH 3/4] PRIVATE-REGISTRY: add private-registry mirror support
+Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support
 
 NOTE: This is a backport/downstream patch of the upstream pull-request
       for Moby, which is still subject to changes.  Please visit
@@ -1142,5 +1142,5 @@
  
        endpoints = []APIEndpoint{
 -- 
-2.30.1
+2.30.2
 

++++++ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch ++++++
--- /var/tmp/diff_new_pack.UIwXDa/_old  2021-04-19 21:05:50.556015271 +0200
+++ /var/tmp/diff_new_pack.UIwXDa/_new  2021-04-19 21:05:50.556015271 +0200
@@ -1,7 +1,7 @@
-From 8cf5f05b8bcb5588bec92d5732e81f26fa632fce Mon Sep 17 00:00:00 2001
+From 9f27140b54e30eed9d3428b24c3ca9c340c48394 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asa...@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/4] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
  start
 
 In the process of making docker-default reloading far less expensive,
@@ -85,5 +85,5 @@
        }
  
 -- 
-2.30.1
+2.30.2
 

++++++ 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch ++++++
>From bb452793d224b00a3700af9fdd9b0f183e1141f1 Mon Sep 17 00:00:00 2001
From: Michal Rostecki <mroste...@opensuse.org>
Date: Thu, 8 Apr 2021 14:42:02 +0100
Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup

Before this change, cleanup of the btrfs driver (occurring on each daemon
shutdown) resulted in disabling quotas. It was done with an assumption
that quotas can be enabled or disabled on a subvolume level, which is
not true - enabling or disabling quota is always done on a filesystem
level.

That was leading to disabling quota on btrfs filesystems on each daemon
shutdown.

This change fixes that behavior and removes misleading `subvol` prefix
from functions and methods which set up quota (on a filesystem level).

SUSE-Bugs: bsc#1175081 bsc#1183855
SUSE-Upstream-Commit: 1ec689c4c2ecda24ed8495451c53072bb0497871
Fixes: 401c8d176743 ("Add disk quota support for btrfs")
Signed-off-by: Michal Rostecki <mroste...@opensuse.org>
---
 daemon/graphdriver/btrfs/btrfs.go | 50 +++++--------------------------
 1 file changed, 8 insertions(+), 42 deletions(-)

diff --git a/daemon/graphdriver/btrfs/btrfs.go 
b/daemon/graphdriver/btrfs/btrfs.go
index 0499489d16e6..0720bb571f2e 100644
--- a/daemon/graphdriver/btrfs/btrfs.go
+++ b/daemon/graphdriver/btrfs/btrfs.go
@@ -96,7 +96,7 @@ func Init(home string, options []string, uidMaps, gidMaps 
[]idtools.IDMap) (grap
        }
 
        if userDiskQuota {
-               if err := driver.subvolEnableQuota(); err != nil {
+               if err := driver.enableQuota(); err != nil {
                        return nil, err
                }
        }
@@ -165,18 +165,10 @@ func (d *Driver) GetMetadata(id string) 
(map[string]string, error) {
 
 // Cleanup unmounts the home directory.
 func (d *Driver) Cleanup() error {
-       err := d.subvolDisableQuota()
-       umountErr := mount.Unmount(d.home)
-
-       // in case we have two errors, prefer the one from disableQuota()
-       if err != nil {
+       if err := mount.Unmount(d.home); err != nil {
                return err
        }
 
-       if umountErr != nil {
-               return umountErr
-       }
-
        return nil
 }
 
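Review bot: In Cleanup, the new `if err := mount.Unmount(d.home); err != nil { return err }` followed by `return nil` can be reduced to `return mount.Unmount(d.home)`, assuming mount.Unmount returns a plain `error` as its use here suggests. With the quota call gone the function has a single step, so the two-branch shape left over from the old error-preference logic no longer carries information. The doc comment `// Cleanup unmounts the home directory.` now matches the body, but it would help to record why quota is left alone, e.g. `// It does not touch the btrfs quota state, which is a filesystem-wide setting.`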
@@ -334,7 +326,7 @@ func (d *Driver) updateQuotaStatus() {
        d.once.Do(func() {
                if !d.quotaEnabled {
                        // In case quotaEnabled is not set, check qgroup and 
update quotaEnabled as needed
-                       if err := subvolQgroupStatus(d.home); err != nil {
+                       if err := qgroupStatus(d.home); err != nil {
                                // quota is still not enabled
                                return
                        }
@@ -343,7 +335,7 @@ func (d *Driver) updateQuotaStatus() {
        })
 }
 
-func (d *Driver) subvolEnableQuota() error {
+func (d *Driver) enableQuota() error {
        d.updateQuotaStatus()
 
        if d.quotaEnabled {
@@ -369,32 +361,6 @@ func (d *Driver) subvolEnableQuota() error {
        return nil
 }
 
-func (d *Driver) subvolDisableQuota() error {
-       d.updateQuotaStatus()
-
-       if !d.quotaEnabled {
-               return nil
-       }
-
-       dir, err := openDir(d.home)
-       if err != nil {
-               return err
-       }
-       defer closeDir(dir)
-
-       var args C.struct_btrfs_ioctl_quota_ctl_args
-       args.cmd = C.BTRFS_QUOTA_CTL_DISABLE
-       _, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), 
C.BTRFS_IOC_QUOTA_CTL,
-               uintptr(unsafe.Pointer(&args)))
-       if errno != 0 {
-               return fmt.Errorf("Failed to disable btrfs quota for %s: %v", 
dir, errno.Error())
-       }
-
-       d.quotaEnabled = false
-
-       return nil
-}
-
 func (d *Driver) subvolRescanQuota() error {
        d.updateQuotaStatus()
 
@@ -437,11 +403,11 @@ func subvolLimitQgroup(path string, size uint64) error {
        return nil
 }
 
-// subvolQgroupStatus performs a BTRFS_IOC_TREE_SEARCH on the root path
+// qgroupStatus performs a BTRFS_IOC_TREE_SEARCH on the root path
 // with search key of BTRFS_QGROUP_STATUS_KEY.
 // In case qgroup is enabled, the retuned key type will match 
BTRFS_QGROUP_STATUS_KEY.
 // For more details please see 
https://github.com/kdave/btrfs-progs/blob/v4.9/qgroup.c#L1035
-func subvolQgroupStatus(path string) error {
+func qgroupStatus(path string) error {
        dir, err := openDir(path)
        if err != nil {
                return err
@@ -608,7 +574,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) 
error {
        if d.options.minSpace > 0 && driver.options.size < d.options.minSpace {
                return fmt.Errorf("btrfs: storage size cannot be less than %s", 
units.HumanSize(float64(d.options.minSpace)))
        }
-       if err := d.subvolEnableQuota(); err != nil {
+       if err := d.enableQuota(); err != nil {
                return err
        }
        return subvolLimitQgroup(dir, driver.options.size)
@@ -662,7 +628,7 @@ func (d *Driver) Get(id, mountLabel string) 
(containerfs.ContainerFS, error) {
 
        if quota, err := ioutil.ReadFile(d.quotasDirID(id)); err == nil {
                if size, err := strconv.ParseUint(string(quota), 10, 64); err 
== nil && size >= d.options.minSpace {
-                       if err := d.subvolEnableQuota(); err != nil {
+                       if err := d.enableQuota(); err != nil {
                                return nil, err
                        }
                        if err := subvolLimitQgroup(dir, size); err != nil {
-- 
2.30.2

++++++ _service ++++++
--- /var/tmp/diff_new_pack.UIwXDa/_old  2021-04-19 21:05:50.624015374 +0200
+++ /var/tmp/diff_new_pack.UIwXDa/_new  2021-04-19 21:05:50.624015374 +0200
@@ -3,16 +3,16 @@
     <param name="url">https://github.com/moby/moby.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">20.10.5_ce_%h</param>
-    <param name="revision">v20.10.5</param>
+    <param name="versionformat">20.10.6_ce_%h</param>
+    <param name="revision">v20.10.6</param>
     <param name="filename">docker</param>
   </service>
   <service name="tar_scm" mode="disabled">
     <param name="url">https://github.com/docker/cli.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">20.10.5_ce</param>
-    <param name="revision">v20.10.5</param>
+    <param name="versionformat">20.10.6_ce</param>
+    <param name="revision">v20.10.6</param>
     <param name="filename">docker-cli</param>
   </service>
   <service name="tar_scm" mode="disabled">
@@ -20,7 +20,7 @@
     <param name="scm">git</param>
     <param name="exclude">.git</param>
     <param name="versionformat">%H</param>
-    <param name="revision">fa125a3512ee0f6187721c88582bf8c4378bd4d7</param>
+    <param name="revision">b3507428be5b458cb0e2b4086b13531fb0706e46</param>
     <param name="filename">docker-libnetwork</param>
   </service>
   <service name="recompress" mode="disabled">

++++++ docker-20.10.5_ce_363e9a88a11b.tar.xz -> 
docker-20.10.6_ce_8728dd246c3a.tar.xz ++++++
/work/SRC/openSUSE:Factory/docker/docker-20.10.5_ce_363e9a88a11b.tar.xz 
/work/SRC/openSUSE:Factory/.docker.new.12324/docker-20.10.6_ce_8728dd246c3a.tar.xz
 differ: char 15, line 1

++++++ docker-cli-20.10.5_ce.tar.xz -> docker-cli-20.10.6_ce.tar.xz ++++++
++++ 5985 lines of diff (skipped)

++++++ docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7.tar.xz -> 
docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7/drivers/bridge/port_mapping.go
 
new/docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46/drivers/bridge/port_mapping.go
--- 
old/docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7/drivers/bridge/port_mapping.go
       2020-12-15 17:25:34.000000000 +0100
+++ 
new/docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46/drivers/bridge/port_mapping.go
       2021-01-25 17:42:33.000000000 +0100
@@ -49,8 +49,16 @@
                        }
                        bs = append(bs, bIPv4)
                }
+
                // Allocate IPv6 Port mappings
-               if ok := n.validatePortBindingIPv6(&bIPv6, containerIPv6, 
defHostIP); ok {
+               // If the container has no IPv6 address, allow proxying host 
IPv6 traffic to it
+               // by setting up the binding with the IPv4 interface if the 
userland proxy is enabled
+               // This change was added to keep backward compatibility
+               containerIP := containerIPv6
+               if ulPxyEnabled && (containerIPv6 == nil) {
+                       containerIP = containerIPv4
+               }
+               if ok := n.validatePortBindingIPv6(&bIPv6, containerIP, 
defHostIP); ok {
                        if err := n.allocatePort(&bIPv6, ulPxyEnabled); err != 
nil {
                                // On allocation failure, release previously 
allocated ports. On cleanup error, just log a warning message
                                if cuErr := n.releasePortsInternal(bs); cuErr 
!= nil {
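Review bot: The fallback `containerIP = containerIPv4` under `ulPxyEnabled && (containerIPv6 == nil)` lets an IPv6 host binding be set up for a container that has only an IPv4 address, and the comment explains this only as backward compatibility. That affects where a published port is reachable: a host that filters published ports with IPv4 rules alone may expose them on its IPv6 addresses through the userland proxy. The comment should say so, for example `// NOTE: the port becomes reachable on the host's IPv6 addresses; bnd.IP is IPv4 while bnd.HostIP is IPv6`. The same mixed-family case reaches validatePortBindingIPv6 in the later hunk, whose doc comment still speaks only of "a valid IPv6 binding" and should mention that containerIP may be an IPv4 address. The enclosing function starts and ends outside this hunk, so how defHostIP is chosen is not visible here.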
@@ -67,7 +75,7 @@
 // validatePortBindingIPv4 validates the port binding, populates the missing 
Host IP field and returns true
 // if this is a valid IPv4 binding, else returns false
 func (n *bridgeNetwork) validatePortBindingIPv4(bnd *types.PortBinding, 
containerIPv4, defHostIP net.IP) bool {
-       //Return early if there is a valid Host IP, but its not a IPv6 address
+       //Return early if there is a valid Host IP, but its not a IPv4 address
        if len(bnd.HostIP) > 0 && bnd.HostIP.To4() == nil {
                return false
        }
@@ -85,10 +93,10 @@
 }
 
 // validatePortBindingIPv6 validates the port binding, populates the missing 
Host IP field and returns true
-// if this is a valid IP6v binding, else returns false
-func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, 
containerIPv6, defHostIP net.IP) bool {
-       // Return early if there is no IPv6 container endpoint
-       if containerIPv6 == nil {
+// if this is a valid IPv6 binding, else returns false
+func (n *bridgeNetwork) validatePortBindingIPv6(bnd *types.PortBinding, 
containerIP, defHostIP net.IP) bool {
+       // Return early if there is no container endpoint
+       if containerIP == nil {
                return false
        }
        // Return early if there is a valid Host IP, which is a IPv4 address
@@ -108,9 +116,8 @@
                        return false
                }
        }
-       bnd.IP = containerIPv6
+       bnd.IP = containerIP
        return true
-
 }
 
 func (n *bridgeNetwork) allocatePort(bnd *types.PortBinding, ulPxyEnabled 
bool) error {
@@ -132,7 +139,7 @@
 
        portmapper := n.portMapper
 
-       if bnd.IP.To4() == nil {
+       if bnd.HostIP.To4() == nil {
                portmapper = n.portMapperV6
        }
 
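Review bot: `bnd.HostIP.To4() == nil` is also true for a nil or empty `net.IP`, so in allocatePort an unset HostIP would select `n.portMapperV6` instead of failing or defaulting to the IPv4 mapper. The validate functions are documented as populating the missing Host IP field, which probably makes this case unreachable, but that guarantee lives outside this hunk and allocatePort's body continues beyond it. I would state the invariant next to the check, `// HostIP is set by validatePortBindingIPv4/IPv6 before this point; its family, not bnd.IP's, selects the mapper`, or make the test explicit with `if len(bnd.HostIP) > 0 && bnd.HostIP.To4() == nil {`.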
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7/iptables/iptables.go
 
new/docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46/iptables/iptables.go
--- 
old/docker-libnetwork-fa125a3512ee0f6187721c88582bf8c4378bd4d7/iptables/iptables.go
 2020-12-15 17:25:34.000000000 +0100
+++ 
new/docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46/iptables/iptables.go
 2021-01-25 17:42:33.000000000 +0100
@@ -512,8 +512,14 @@
 // Raw calls 'iptables' system command, passing supplied arguments.
 func (iptable IPTable) Raw(args ...string) ([]byte, error) {
        if firewalldRunning {
+               // select correct IP version for firewalld
+               ipv := Iptables
+               if iptable.Version == IPv6 {
+                       ipv = IP6Tables
+               }
+
                startTime := time.Now()
-               output, err := Passthrough(Iptables, args...)
+               output, err := Passthrough(ipv, args...)
                if err == nil || !strings.Contains(err.Error(), "was not 
provided by any .service files") {
                        return filterOutput(startTime, output, args...), err
                }
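Review bot: The doc comment on Raw still reads `// Raw calls 'iptables' system command, passing supplied arguments.`, which no longer describes the firewalld branch now that it chooses between `Iptables` and `IP6Tables` from `iptable.Version`. Sending IPv6 rules through the IPv4 passthrough is the kind of mistake that leaves a firewall rule silently missing, so the contract is worth stating, e.g. `// Raw passes args to firewalld's passthrough for the IP version in iptable.Version when firewalld is running.` Any value of `Version` other than `IPv6` falls back to `Iptables`; if the type can hold other values, a `switch` with an explicit default would make that choice visible. The rest of Raw, including the non-firewalld path, lies outside this hunk.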
